These companies are found not only in the geographical area previously targeted by Patchwork operations but also in the UK and the U.S.

The group did not update its tactics, techniques, and procedures and continued to use spear-phishing emails with the same theme that revolved around China’s external political relations.

In the vast majority of cases, these emails included malicious PowerPoint files that attempted to use the CVE-2014-4114 exploit to install malware on the target’s PC, as Cymmetria said.

In the new campaign, Word documents carrying exploits for CVE-2015-1641 and CVE-2012-0158 were also used, and in some cases the spear-phishing emails didn’t come with an attachment but contained links to a website from which the user would download the malicious file themselves.

Symantec said these files tried to install the Enfourks (via PowerPoint files) and Steladok (via Word files) backdoor Trojans, which would collect sensitive information from infected computers and upload it to online servers.